Building API key management from scratch means hashing, rate limiting, usage tracking, key rotation, and analytics. Unkey gives you all of this as a service with a 3-line integration.
What Unkey Gives You for Free
- 250K verifications/month on free tier
- API key creation — generate keys with metadata, expiration, rate limits
- Key verification — sub-millisecond verification at the edge
- Rate limiting — per-key or per-endpoint, sliding window
- Usage analytics — track API usage per key
- Key management UI — dashboard to create, revoke, rotate keys
- Temporary keys — auto-expiring keys for trials or sessions
- TypeScript SDK — fully typed
Quick Start
```bash
npm install @unkey/api
```
Create an API Key
```typescript
import { Unkey } from '@unkey/api';

const unkey = new Unkey({ rootKey: process.env.UNKEY_ROOT_KEY! });

const { result } = await unkey.keys.create({
  apiId: 'api_123',
  prefix: 'sk',
  meta: { userId: 'user_456', plan: 'pro' },
  expires: Date.now() + 30 * 24 * 60 * 60 * 1000, // 30 days
  ratelimit: {
    type: 'fast',
    limit: 100,
    refillRate: 10,
    refillInterval: 1000 // 10 per second
  },
  remaining: 1000 // Max 1000 total uses
});

console.log(result.key); // sk_1234567890abcdef
```
Verify a Key (In Your API)
```typescript
// middleware.ts or API route
import { verifyKey } from '@unkey/api';

export async function middleware(req: Request) {
  const key = req.headers.get('Authorization')?.replace('Bearer ', '');
  if (!key) {
    return new Response('Missing API key', { status: 401 });
  }

  const { result, error } = await verifyKey(key);
  if (error || !result.valid) {
    return new Response('Invalid API key', { status: 403 });
  }

  // Access metadata
  console.log(result.meta.userId); // 'user_456'
  console.log(result.meta.plan); // 'pro'
  console.log(result.remaining); // Uses left
  console.log(result.ratelimit); // Rate limit status
}
```
Rate Limiting (Built Into Keys)
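```typescript
const { result } = await unkey.keys.create({
  apiId: 'api_123',
  ratelimit: {
    type: 'fast',
    limit: 10,            // 10 requests
    refillRate: 10,       // Refill 10
    refillInterval: 60000 // Per minute
  }
});
```

```typescript
// During verification (inside your request handler):
const { result, error } = await verifyKey(key);
if (error) {
  // Verification itself failed: deny rather than let the request through
  return new Response('Verification unavailable', { status: 500 });
}
// A throttled key comes back invalid with code 'RATE_LIMITED'.
// ratelimit.remaining === 0 on a valid result only means this request
// used the last slot in the window, so it must not be rejected.
if (!result.valid && result.code === 'RATE_LIMITED') {
  return new Response('Rate limited', { status: 429 });
}
```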
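A stricter version of the verification and rate-limit checks from the two sections above, as an added example that is not Unkey's or the author's code: it accepts only a well-formed `Bearer` header, fails closed when verification errors, and returns 429 only for a throttled key. The type names, the injected `verify` parameter (pass `verifyKey` or a wrapper), the 503 status and the `'RATE_LIMITED'` code value are assumptions of this sketch.

```typescript
// Added example: these shapes mirror the { result, error } pair used on this page.
type VerifyResult = { valid: boolean; code?: string; meta?: Record<string, unknown> };
type VerifyOutcome = { result?: VerifyResult; error?: unknown };
type Decision = { status: 200 | 401 | 403 | 429 | 503; reason: string };

// Accept exactly "Bearer <token>". The scheme is case-insensitive; anything
// else (Basic, a bare token, trailing data) is rejected instead of being
// forwarded to the verifier as if it were a key.
function extractBearer(header: string | null | undefined): string | null {
  if (!header) return null;
  const match = /^Bearer +([A-Za-z0-9._~+\/-]+=*)$/i.exec(header.trim());
  return match?.[1] ?? null;
}

// Map a verification outcome to an HTTP decision. Every path that is not an
// explicit valid === true ends in a denial (fail closed).
function decide(outcome: VerifyOutcome): Decision {
  if (outcome.error || !outcome.result) {
    return { status: 503, reason: 'verification unavailable' };
  }
  const { valid, code } = outcome.result;
  if (valid === true) return { status: 200, reason: 'ok' };
  if (code === 'RATE_LIMITED') return { status: 429, reason: 'rate limited' };
  return { status: 403, reason: 'invalid key' };
}

// Glue: `verify` is injected (hypothetical parameter) so the same logic runs
// against the real verifier in production and against a stub in tests.
async function authorize(
  header: string | null | undefined,
  verify: (key: string) => Promise<VerifyOutcome>,
): Promise<Decision> {
  const key = extractBearer(header);
  if (!key) return { status: 401, reason: 'missing or malformed Authorization header' };
  try {
    return decide(await verify(key));
  } catch {
    return { status: 503, reason: 'verification unavailable' };
  }
}
```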
Use Cases
- SaaS API keys — give each customer a key with usage limits
- Webhook verification — temporary keys for webhook callbacks
- Trial access — auto-expiring keys with limited uses
- Internal services — API keys for microservice communication
- Mobile apps — per-device API keys with rate limiting
Unkey vs DIY vs Auth0 Machine-to-Machine
| Feature | Unkey | DIY (database + hashing) | Auth0 M2M |
|---|---|---|---|
| Setup time | 5 minutes | Days | Hours |
| Rate limiting | Built-in per key | Build yourself | Separate |
| Usage tracking | Built-in | Build yourself | Separate |
| Key rotation | Dashboard + API | Build yourself | API |
| Edge verification | Yes (global) | Depends | Yes |
| Free tier | 250K verifs/mo | Self-hosted | 1000 tokens |
The Verdict
Unkey turns API key management from a multi-day engineering project into a 5-minute integration. Rate limiting, usage tracking, expiration — all built in. If your product has an API, Unkey manages the keys.